What Is Quantstamp (QSP)? | A Guide to the Smart Contract Auditing Platform

What Is Quantstamp?

Quantstamp is a security-auditing protocol for smart contracts. As a dapps platform, Ethereum has proven its security time and again. However, dapps and smart contracts built on top of Ethereum may still contain bugs that malicious players can exploit to cause havoc on the network. The two most notable examples are the $55 million DAO hack and the $30 million Parity wallet bug. These issues not only affect the people who’ve had their funds stolen, but they also diminish the credibility of the entire ecosystem.

Writing smart contracts is already a tough job. As with any other kind of programming, writing them without any bugs is nearly impossible. To add fuel to the fire, the rate at which smart contracts are being written (an estimated 10 million by the end of 2018) is outpacing the resources needed to audit them. Even with robust security auditing, a small bug could slip through the cracks, causing catastrophe down the road.

Here’s where Quantstamp comes into play. The protocol includes a cost-effective, scalable system to easily audit your Ethereum-based smart contracts. In this Quantstamp protocol guide, we’ll talk about:

How Does Quantstamp Work?

Although the team is focusing on Ethereum now, they’re building the Quantstamp protocol in a way that’s platform agnostic. This means that it can eventually be used on other smart contract platforms like Lisk and NEO. The Quantstamp protocol has a two-pronged approach to security auditing:

To ensure no bad actors are submitting malicious validation software, Contributors must be voted in according to the governance mechanism (more on this later).

Running the Validation Node takes a significant amount of computing power. Because of this, Validators also receive QSP payment for providing computing power to the network. To ensure that Validators don’t act maliciously, they must stake their QSP tokens to earn their reward.

An Example

As a developer, you want to deploy a smart contract on Ethereum. Considering you don’t want to go down in history as the guy who lost millions of people’s money, you have your contract audited. To do so, you send your smart contract, with the source code in the data field, directly from your wallet to Quantstamp, including QSP tokens with the transaction. On the next Ethereum block, Validators perform security checks. After they reach consensus, they append the proof-of-audit and report data to the next block.

You can choose whether your security report is made public or private.

UPDATE: It appears that the Quantstamp team now also offers manual audits in exchange for ETH or USD.

Quantstamp Audit System

Bounty Payouts

When you submit your smart contract for auditing, you also include a set of QSP tokens for bounty rewards and a deadline for when Bug Finders can submit issues. The bounty deadline and reward size are up to you. If the deadline passes with no bugs found, the QSP bounty reward is returned to you.

Quantstamp doesn’t guarantee flawless code after this process, but they do assure users that the automated testing and crowdsourced bug-hunting greatly reduce issues.

Protocol Governance

QSP token holders control upgrades to the protocol, the validation smart contracts, and the Validation Node. The governance model uses a time-locked multisig in which any token holder can propose a change. The more votes a change has, the quicker it occurs. Changes approved by all members occur within an hour. This time doubles with each 5% of members that don’t vote and quadruples for each 5% that vote against it.
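To make the delay rule concrete, the following sketch (an added example, not Quantstamp's code) computes the time lock from a vote tally and finds how much abstention a change can absorb before it misses a deadline. It assumes the base delay is exactly one hour, that only complete 5% steps count, and that percentages are taken over all members; the function names and the sample tallies are hypothetical.

```python
BASE_DELAY_HOURS = 1   # delay when every member approves, per the text
STEP_PCT = 5           # each full 5% of members changes the delay


def timelock_delay_hours(total, yes, no):
    """Hours before a proposal takes effect, from raw vote counts."""
    if total <= 0 or yes < 0 or no < 0 or yes + no > total:
        raise ValueError("inconsistent tally")
    abstain = total - yes - no
    # Assumption: only complete 5% steps count, so use integer floor division.
    abstain_steps = (abstain * 100) // (total * STEP_PCT)
    against_steps = (no * 100) // (total * STEP_PCT)
    # Doubles per abstaining step, quadruples per opposing step.
    return BASE_DELAY_HOURS * 2 ** abstain_steps * 4 ** against_steps


def max_abstainers_within(total, deadline_hours):
    """Largest number of non-voters (with nobody voting against) for which
    the change still lands inside deadline_hours; None if even a unanimous
    vote is too slow."""
    best = None
    for abstain in range(total + 1):
        if timelock_delay_hours(total, total - abstain, 0) <= deadline_hours:
            best = abstain
    return best


if __name__ == "__main__":
    # Constructed tallies for a 1,000-member electorate.
    for yes, no in [(1000, 0), (900, 0), (900, 100), (500, 0)]:
        hours = timelock_delay_hours(1000, yes, no)
        print(f"yes={yes} no={no} -> {hours} h")
    # How much apathy can an urgent fix tolerate if it must land in 72 h?
    print(max_abstainers_within(1000, 72))
```

The growth is exponential in both directions: the delay gives holders time to react to an unwanted upgrade, but with half the members not voting an uncontested change already waits 1,024 hours.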

Proof-of-Caring

Earlier in 2018, Quantstamp implemented an in-house Proof-of-Caring system to reward community members and loyal QSP token holders. Once you submitted your proof, you’d receive an airdrop from an ICO that Quantstamp has audited. This proof consisted of holding your tokens in a wallet (not an exchange) for a certain amount of time, contributing to social media outreach, and/or any other community activities.

The Quantstamp team has since ended this program and no longer rewards community members with ICO airdrops. It’s been a point of contention in the community.

Quantstamp Team & Progress

The Quantstamp team consists of 30+ members and advisors with over 500 Google Scholar citations. Steven Stuart (CTO) and Richard Ma (CEO) founded the team in June 2017. Stuart worked 5 years in Canada’s cryptologic agency in the Department of National Defense and previously founded Many Trees, a start-up that uses GPUs for Big Data analytics and machine learning. Ma built production-grade integration and validation testing software at the Bitcoin HFT Fund. During his time there, his trading systems had no notable issues and handled millions of dollars in investment capital.

The Quantstamp Co-Founders

Since their beginning, the Quantstamp team has performed several audits – one of them being on Request Network, a strategic partner. They’ve also audited numerous other projects including Wanchain and Omisego. Additionally, Binance utilized Quantstamp’s services to ensure that none of the ERC20 tokens on the exchange were affected by a critical overflow vulnerability.

Quantstamp Roadmap

Quantstamp accomplished quite a few of their roadmap milestones in 2018. Most notably, however, they released a beta on the Ethereum mainnet. Currently, their 2019 roadmap lacks detail, but we can assume that it will include a full launch on the Ethereum mainnet as well as continued auditing and updates.

The team has partnered with the University of Waterloo and has support from Y Combinator, the number one start-up accelerator in the world.

Competition

Quantstamp is a first-mover when it comes to automating smart contract auditing. The Bounty0x project is offering a bounty platform similar to Quantstamp’s bounty rewards but doesn’t have a software verification service. The closest competitors to Quantstamp are the security auditing firms already in the market like ConsenSys Diligence. Because the Quantstamp protocol is automated, it should scale better than its manual competitors.

Trading

Quantstamp held a successful ICO in November 2017 in which the team raised a little over $30 million. They distributed 650 million (65%) QSP out of the 1 billion total supply to ICO participants at a price of $0.072 per token.

After the usual post-ICO volatility, the QSP price stabilized at around $0.10 (~0.000005 BTC) through the end of November. The price then followed the trend of the altcoin market and rose rapidly to an all-time high of $0.82 (~0.000051 BTC) at the beginning of January 2018.

Unfortunately, the QSP price hasn’t fared well for the remainder of 2018. The project seems to have been hit harder than most others in this bear market, falling drastically in the market cap rankings. It currently sits at a price of about $0.015 (~0.000004 BTC).

As more projects use the Quantstamp auditing service, there should be more demand for the QSP token. This demand should drive the price upward. However, the team offering manual auditing services in exchange for ETH and USD may cannibalize some of that demand. Keep your eye out for the launch date of the Quantstamp mainnet as that should have a positive influence on the price.

Where to Buy QSP

You can find QSP traded against Bitcoin and Ethereum with the most volume on either Binance or Huobi.

Where to Store QSP

QSP is an ERC20 token which means you can store it in any wallet with ERC20 support. MyEtherWallet is a community favorite when it comes to online wallets.

For more security, albeit at a higher price, the Ledger Nano S is a great hardware wallet for you to use.

Conclusion

Quantstamp is making smart contracts more secure through automated software testing and a system of bug bounties. Although starting with Ethereum, the team is building the protocol to be available on any dapp platform in the long run.

In an industry where security is a primary concern and bugs have caused the theft of millions of dollars, Quantstamp should help to legitimize blockchain projects and ensure that large-scale smart contract hacks are a thing of the past.

Editor’s Note: This article was updated by Steven Buchko on 11.28.18 to reflect the recent changes of the project.